AS Ühisteenused – Court Ruling (Estonia, 2024)

The data subject brought an action against AS Ühisteenused, a company providing parking services ('controller 1'). The company that made a claim against the data subject arising from a contractual penalty in the amount of €79,57 for a car parking violation. According to a debt notice of 29 April 2022 sent to the data subject, the violation occurred on the 17 April 2019 and the penalty was to be paid by 2 May 2019. The data subject sold the car on 27 August 2019, and was not aware of AS Ühisteenused's parking regulations or the alleged violation on 17 April 2019, as they did not personally use the car. On 25 March 2022, AS Ühisteenused and Julianus Inkasso OÜentered, a debt collection company (‘controller 2’) entered into an agency agreement on the basis of which and Julianus Inkasso OÜ was authorized to represent AS Ühisteenused in the recovery of the debt owed by the data subject. As two controllers jointly determined the purposes and means of processing, they became joint controllers under Article 26 GDPR. As a result, the data subject’s debt was published on the website taust.ee (eng translation: background.ee) by Julianus Inkasso OÜ. On 29 May 2022, the data subject requested both controllers to stop processing their personal data and delete them from the website. According to [https://www.riigiteataja.ee/akt/106072023098 §146 of the Estonian Civil Code], the expiry date for the request arising from a violation of the law is three years. Since the penalty was to be paid by 2 May 2019, the three-year deadline expired on 3 May 2022 and the claim was therefore time-barred. Therefore, the data subject asked a court to order the controller 2 to delete the debt information linked to them and to pay €270 by way of damages for per-litigation legal costs. In its reply, controller 1 stated that they have a right to disclose this type of data. In particular, under [https://www.riigiteataja.ee/akt/104012019011 § 10(2)(5) of the Estonian Data Protection Act], the transf